Solved

Setting permissions on Network folders

Posted on 2013-05-30
Last Modified: 2013-06-27
Hi
I have been having some issues setting up permissions on folders that I have created on a new file server.
Here is what I have done so far:
I have a Win2008R2 Ent. file server with all the roles installed.
A SAN drive is attached to the file server and on that SAN drive I have created a folder called Departments and shared it. This folder is going to be the root folder. Under that folder, I have created several sub folders.
Let’s just say the folders are:
Acct
Admin
Finance
HR
Eng
Eexcs
IT
Man
CS


My plan is to have each group have read/write access only to their departmental folder.
They should not be able to access folders belonging to the other departments. Accounting should only access acct folder, HR group should only access HR, Admin should only access the admin folder, etc.

Permission on the departments root folder is set up as shown below:
Domain admin has full control
FS admins has FULL control
Domain users have list control




And here is how permission is set up on one of the sub folders:
Let’s take the Finance group.
Finance Group has Read/Write
Domain Admins has Full cont.
Domain user has list

What I want to accomplish here is that I don’t want the domain users group to list the contents of the folders.


Right now they can do that.
I removed the domain users group from the folder, but after doing that, the Finance group couldn’t access the folder at all. So I ended up putting it back. So if anyone can give me some help, I would appreciate it.
Question by:bb8176
3 Comments
 
LVL 4

Expert Comment

by:Rsilva98
ID: 39208569
Add the corresponding group to each share. Also remove the inherit option on the root folder.

Accepted Solution

by:
93SysAdmin9393 earned 500 total points
ID: 39208892
I would recommend following the Microsoft best practices for security group nesting to assign permission to resources.  In the long run it gives you a very good idea of what users or groups will have access to various shared resources.  

Assign permissions to resources to Domain Local groups, make Global group members of the Domain Local group, and then put your users in the Global groups.  If you want to know who has permission to a particular folder, just find the domain local group assigned to it and see who is a member.

Also, you will only want your admins to have Full Control; the highest permission that you will want your mortal users to have is "modify", but I think that you've got that covered.

For instance take the Finance folder:

Remove inheritance from the folder (as previously suggested).

Create a Domain local group called "Finance Full-Control", put your domain admins security group and your "FS Admins" Global security group in it and give that group full control NTFS permissions on that folder.

Create a Domain local group "Finance Modify" and assign modify permissions on that folder to that group.

Create a Global group called "Finance Users" and make that group a member of the "Finance Modify" domain local group.

Put your finance department users into the "Finance Users" group.

Finally, open the Share and Storage Management console and choose your share, choose properties, then advanced properties and choose "Enable access-based enumeration".  That will make it so that only users with access to a particular folder will be able to see it; to everybody else it will appear that it does not exist.

I think that I covered all of the steps and I hope that helps.
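
The steps from the accepted answer for the Finance folder, scripted as an added example (not part of the original answer). The folder path, NetBIOS domain name, OU and share name are assumptions; the group names are the ones used in the answer.

```powershell
# Added example. $Folder, $Domain and $OU are assumed values, not taken from the thread.
Import-Module ActiveDirectory

$Folder = 'D:\Departments\Finance'            # assumed path on the SAN drive
$Domain = 'CONTOSO'                           # assumed NetBIOS domain name
$OU     = 'OU=Groups,DC=contoso,DC=example'   # assumed OU for the new groups

# Domain Local groups carry the NTFS permissions (one group per access level).
New-ADGroup -Name 'Finance Full-Control' -GroupScope DomainLocal -GroupCategory Security -Path $OU
New-ADGroup -Name 'Finance Modify'       -GroupScope DomainLocal -GroupCategory Security -Path $OU

# The Global group holds the department's user accounts.
New-ADGroup -Name 'Finance Users' -GroupScope Global -GroupCategory Security -Path $OU

# Nesting: Global groups become members of the Domain Local groups.
# 'FS Admins' is the existing Global group mentioned in the thread.
Add-ADGroupMember -Identity 'Finance Full-Control' -Members 'Domain Admins', 'FS Admins'
Add-ADGroupMember -Identity 'Finance Modify'       -Members 'Finance Users'

# Finance staff then go into 'Finance Users', for example:
#   Add-ADGroupMember -Identity 'Finance Users' -Members <samAccountName>

# Grant the explicit ACEs first so access is never lost, then cut inheritance.
# (OI)(CI) applies the entry to this folder, its subfolders and its files.
icacls $Folder /grant "${Domain}\Finance Full-Control:(OI)(CI)F" "${Domain}\Finance Modify:(OI)(CI)M"

# /inheritance:r disables inheritance and removes every inherited ACE, including
# the Domain Users "list" entry coming from the Departments root. It also removes
# inherited SYSTEM and CREATOR OWNER entries; grant those explicitly if backup
# agents or services need them.
icacls $Folder /inheritance:r

# If Domain Users was also added explicitly on this folder, drop that grant too.
icacls $Folder /remove:g "${Domain}\Domain Users"

# Review the resulting ACL: only the two Finance groups should be listed.
icacls $Folder

# Access-based enumeration is a share-level setting. On Windows Server 2008 R2
# enable it in Share and Storage Management as described in the answer. On
# Windows Server 2012 and later the equivalent is (share name assumed):
#   Set-SmbShare -Name 'Departments' -FolderEnumerationMode AccessBased
```

Run it from an elevated session on the file server with an account that can create groups in the chosen OU, then repeat with the other department names.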

Author Closing Comment

by:bb8176
ID: 39282409
This worked for me.